Mobile user behaviour undermines corporate policies

Study by Absolute Software and Ponemon Institute indicate that half of UK business managers disable laptop encryption in violation of corporate security policies

Absolute Software and the Ponemon Institute announce the findings of a new study on the use of encryption on laptops by employees within corporations in the UK. The study titled, 'The Human Factor in Laptop Encryption: UK Study,' reveals that 50% of (non-IT) business managers polled, disable the encryption solution on their laptops. Study results indicate that it is employee behaviour that undermines traditional data security strategies among UK companies. Companion studies of US and Canadian companies are also available.

'The data suggests that, because of user behaviour, encryption alone is not enough to protect mobile devices and the sensitive data stored on them,' said Dr Larry Ponemon, chairman and founder of The Ponemon Institute. 'These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen."

The report shows that many business managers fail to take necessary precautions to secure their laptops, such as using additional security solutions, and instead are overly dependent on their encryption solutions to protect the sensitive data on their laptops.

* 50% of business managers have disengaged their laptop's encryption, 33% of these managers admit this is in violation of their company's security policy;

* Only 49% of business managers - employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) - have employer-provided encryption;

* 65% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;

* Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop has been encrypted, if it has been compromised, or even which files have been accessed by thieves. This can leave corporations with gaping holes in their security efforts, and risk exposing the company, employees, customers and consumers to data and identity theft. To help solve security risks that encryption alone cannot adequately address, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data.

"This research highlights what Absolute has long-emphasised: while encryption technology provides a high-degree of data protection, it must be complemented by additional security layers that are not dependent on the diligent behaviour of corporate employees," said John Livingston, chairman and CEO of Absolute Software. "If I were tasked with data security, I would read this study in detail and immediately assess my company's data protection strategy, especially if I was reliant solely on encryption. Corporations may incorrectly assume that since it is company policy to encrypt mobile data, they are not at risk for a data breach. With more than half of business managers disabling their encryption solutions, companies are left incredibly vulnerable to theft and data loss if they do not utilise additional layers of security, such as those offered by Absolute."
Highlights and the complete reports for 'The Human Factor in Laptop Encryption' studies for the US, UK and Canada can be found on the Absolute Software website.